By default {{pkg|networkmanager-openvpn}} plugin appends DNS servers provided by OpenVPN to {{ic|/etc/resolv.conf}}. This may result result DNS instability (leakage).

+

By default {{pkg|networkmanager-openvpn}} plugin appends DNS servers provided by OpenVPN to {{ic|/etc/resolv.conf}}. This may result in DNS instability (leakage).

The settings user interface does not provide any way to change this behavior, but it is possible to [https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1211110/comments/92 completely override] DNS using connection configuration file.

The settings user interface does not provide any way to change this behavior, but it is possible to [https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1211110/comments/92 completely override] DNS using connection configuration file.

OpenVPN is tightly bound to the OpenSSL library, and derives much of its crypto capabilities from it. It supports conventional encryption using a pre-shared secret key (Static Key mode) or public key security (SSL/TLS mode) using client & server certificates. Additionally it supports unencrypted TCP/UDP tunnels.

OpenVPN is designed to work with the TUN/TAP virtual networking interface that exists on most platforms. Overall, it aims to offer many of the key features of IPSec but with a relatively lightweight footprint. OpenVPN was written by James Yonan and is published under the GNU General Public License (GPL).

Connect to a VPN provided by a third party

To connect to a VPN service provided by a third party, most of the following can most likely be ignored, especially regarding server setup. Begin with #The client config profile and skip ahead to #Starting OpenVPN after that. One should use the provider certificates and instructions, see Category:VPN providers for examples that can be adapted to other providers. OpenVPN (client) in Linux containers also has general applicable instructions, while it goes a step further by isolating an OpenVPN client process into a container.

Note: Most free VPN providers will (often only) offer PPTP, which is drastically easier to setup and configure, but not secure.

Create a Public Key Infrastructure (PKI) from scratch

When setting up an OpenVPN server, users need to create a Public Key Infrastructure (PKI) which is detailed in the Easy-RSA article. Once the needed certificates, private keys, and associated files are created via following the steps in the separate article, one should have 5 files in /etc/openvpn/server at this point:

ca.crt
dh.pem
servername.crt
servername.key
ta.key

Alternatively, as of OpenVPN 2.4, one can use Easy-RSA to generate certificates and keys using elliptic curves. See the OpenVPN documentation for details.

A basic L3 IP routing configuration

OpenVPN is an extremely versatile piece of software and many configurations are possible, in fact machines can be both servers and clients.

With the release of v2.4, server configurations are stored in /etc/openvpn/server and client configurations are stored in /etc/openvpn/client and each mode has its own respective systemd unit, namely, openvpn-client@.service and openvpn-server@.service.

Example configuration

The OpenVPN package comes with a collection of example configuration files for different purposes. The sample server and client configuration files make an ideal starting point for a basic OpenVPN setup with the following features:

Hardening the server

If security is a priority, additional configuration is recommended including: limiting the server to use a strong cipher/auth method and (optionally) limiting the set of enabled TLS ciphers to the newer ciphers.

The .ovpn client profile must contain a matching cipher and auth line to work properly (at least with the iOS and Android client).

Using tls-cipher incorrectly may cause difficulty with debugging connections and may not be necessary. See OpenVPN’s community wiki for more information.

Enabling compression

Since OpenVPN v2.4 it is possible to use LZ4 compression over lzo. LZ4 generally offering the best performance with least CPU usage. For backwards compatibility with OpenVPN versions before v2.4, use lzo comp-lzo. Do not enable both compression options at the same time.

To do so, configure /etc/openvpn/server/server.conf as such:

/etc/openvpn/server/server.conf

.
compress lz4-v2
push "compress lz4-v2"
.

On the client set --compress lz4[2], although this may be deprecated in the near future.

Deviating from the standard port and/or protocol

Some public/private network admins may not allow OpenVPN connections on its default port and/or protocol. One strategy to circumvent this is to mimic https/SSL traffic which is very likely unobstructed.

To do so, configure /etc/openvpn/server/server.conf as such:

/etc/openvpn/server/server.conf

.
port 443
proto tcp
.

Note: The .ovpn client profile must contain a matching port and proto line to work properly!

TCP vs UDP

There are subtle differences between TCP and UDP.

TCP

So-called "stateful protocol."

High reliability due to error correction (i.e. waits for packet acknowledgment).

Potentially slower than UDP.

UDP

So-called "stateless protocol."

Less reliable than TCP as no error correction is in use.

Potentially faster than TCP.

Note: It is generally a bad idea to use TCP for VPN unless your connection to the server is very stable. High reliability sounds great in theory but any disruption (packet drop, lag spikes, etc...) to the connection will potentially snowball into a TCP Meltdown[3].

Run as unprivileged user

Using the options user nobody and group nobody in the configuration file makes OpenVPN drop its root privileges after establishing the connection. The downside is that upon VPN disconnect the daemon is unable to delete its set network routes again. If one wants to limit transmitting traffic without the VPN connection, then lingering routes may be considered beneficial. It can also happen, however, that the OpenVPN server pushes updates to routes at runtime of the tunnel. A client with dropped privileges will be unable to perform the update and exit with an error.

As it could seem to require manual action to manage the routes, the options user nobody and group nobody might seem undesirable. Depending on setup, however, there are different ways to handle these situations:

For errors of the unit, a simple way is to edit it and add a Restart=on-failure to the [Service] section. Though, this alone will not delete any obsoleted routes, so it may happen that the restarted tunnel is not routed properly.

The package contains the /usr/lib/openvpn/plugins/openvpn-plugin-down-root.so, which can be used to let openvpn fork a process with root privileges with the only task to execute a custom script when receiving a down signal from the main process, which is handling the tunnel with dropped privileges (see also its README).

The OpenVPN HowTo's linked below go further by creating a dedicated non-privileged user/group, instead of the already existing nobody. The advantage is that this avoids potential risks when sharing a user among daemons:

The OpenVPN HowTo explains another way how to create an unprivileged user mode and wrapper script to have the routes restored automatically.

It is possible to let OpenVPN start as a non-privileged user in the first place, without ever running as root, see this OpenVPN wiki (howto). The howto assumes the presence of System V init, rather than Systemd and does not cover the handling of --up/--down scripts - those should be handled the same way as the ip command, with additional attention to access rights.

Note: Due to a bug in OpenVPN 2.4.0, the persist-tun option mentioned in the howtos should not be used, otherwise new routes/IPs pushed on reconnect will be ignored by the client.

Note: If using a firewall, make sure that IP packets on the TUN device are not blocked.

Configure the MTU with Fragment and MSS

If experiencing issues when using (remote) services over OpenVPN (e.g. web browsing, DNS, NFS), it may be needed to set a MTU value manually.

The following message may indicate the MTU value should be adjusted:

read UDPv4 [EMSGSIZE Path-MTU=1407]: Message too long (code=90)

In order to get the maximum segment size (MSS), the client needs to discover the smallest MTU along the path to the server. In order to do this ping the server and disable fragmentation, then specify the maximum packet size [4]:

# ping -M do -s 1500 -c 1 example.com

Decrease the 1500 value by 10 each time, until the ping succeeds.

Note: Clients that do not support the 'fragment' directive (e.g. OpenELEC, iOS app) are not able to connect to a server that uses the fragment directive. See mtu-test as alternative solution.

Update the client configuration to use the succeeded MTU value, e.g.:

/etc/openvpn/client/client.conf

remote example.com 1194
...
tun-mtu 1400
mssfix 1360

OpenVPN may be instructed to test the MTU every time on client connect. Be patient, since your client may not inform about the test being run and the connection may appear as nonfunctional until finished. The following will add about 3 minutes to OpenVPN start time. It is advisable to configure the fragment size unless a client will be connecting over many different networks and the bottle neck is not on the server side:

/etc/openvpn/client/client.conf

remote example.com 1194
...
mtu-test
...

IPv6

Connect to the server via IPv6

In order to enable Dual Stack for OpenVPN, you have to change proto udp to proto udp6 in both server.conf and client.conf. Afterwards both IPv4 and IPv6 are enabled.

Provide IPv6 inside the tunnel

In order to provide IPv6 inside the tunnel, you need to have a IPv6 prefix routed to your OpenVPN server. Either set up a static route on your gateway (if you have a static block assigned), or use a DHCPv6 client to get a prefix with DHCPv6 Prefix delegation (see IPv6 Prefix delegation for details). You can also use a unique local address from the address block fc00::/7. Both methods have advantages and disadvantages:

Many ISPs only provide dynamically changing IPv6 prefixes. OpenVPN does not support prefix changes, so you need to change your server.conf every time the prefix is changed (Maybe can be automated with a script).

ULA addresses are not routed to the Internet, and setting up NAT is not as straightforward as with IPv4. So you cannot route the entire traffic over the tunnel. If you only want to connect two sites via IPv6, without the need to connect to the Internet over the tunnel, the ULA addresses may be easier to use.

After you have received a prefix (a /64 is recommended), append the following to the server.conf:

server-ipv6 2001:db8:0:123::/64

This is the IPv6 equivalent to the default 10.8.0.0/24 network of OpenVPN and needs to be taken from the DHCPv6 client. Or use for example fd00:1234::/64.

If you want to push a route to your home network (192.168.1.0/24 equivalent), also append:

push "route-ipv6 2001:db8:0:abc::/64"

OpenVPN does not yet include DHCPv6, so there is no method to e.g. push DNS server over IPv6. This needs to be done with IPv4. The OpenVPN Wiki provides some other configuration options.

Starting OpenVPN

Manual startup

To troubleshoot a VPN connection, start the client's daemon manually with openvpn /etc/openvpn/client/client.conf as root. The server can be started the same way using its own configuration file (e.g., openvpn /etc/openvpn/server/server.conf).

systemd service configuration

To start the OpenVPN server automatically at system boot, enableopenvpn-server@<configuration>.service on the applicable machine. For a client, enableopenvpn-client@<configuration>.service instead. (Leave .conf out of the <configuration> string.)

For example, if the client configuration file is /etc/openvpn/client/client.conf, the service name is openvpn-client@client.service. Or, if the server configuration file is /etc/openvpn/server/server.conf, the service name is openvpn-server@server.service.

Letting NetworkManager start a connection

On a client you might not always need to run a VPN tunnel and/or only want to establish it for a specific NetworkManager connection. This can be done by adding a script to /etc/NetworkManager/dispatcher.d/. In the following example "Provider" is the name of the NetworkManager connection:

Gnome configuration

If you would like to connect a client to an OpenVPN server through Gnome's built-in network configuration do the following. First, install networkmanager-openvpn. Then go to the Settings menu and choose Network. Click the plus sign to add a new connection and choose VPN. From there you can choose OpenVPN and manually enter the settings. You can also choose to import #The client config profile, if you have already created one. Yet, be aware NetworkManager does not show error messages for options it does not import. To connect to the VPN simply turn the connection on and check the options are applied as you configured (e.g. via journalctl -b -u NetworkManager).

Routing client traffic through the server

By default only traffic directly to and from an OpenVPN server passes through the VPN. To have all traffic (including web traffic) pass through the VPN, appendpush "redirect-gateway def1 bypass-dhcp" to the configuration file (i.e. /etc/openvpn/server/server.conf) [5] of the server. Note this is not a requirement and may even give performance issue:

iptables

In order to allow VPN traffic through your iptables firewall of your server, first create an iptables rule for NAT forwarding [6] on the server, assuming the interface you want to forward to is named eth0:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

If you have difficulty pinging the server through the VPN, you may need to add explicit rules to open up TUN/TAP interfaces to all traffic. If that is the case, do the following [7]:

Warning: There are security implications for the following rules if you do not trust all clients which connect to the server. Refer to the OpenVPN documentation on this topic for more details.

If you have multiple tun or tap interfaces, or more than one VPN configuration, you can "pin" the name of your interface by specifying it in the OpenVPN config file, e.g. tun22 instead of tun. This is advantageous if you have different firewall rules for different interfaces or OpenVPN configurations.

Prevent leaks if VPN goes down

The idea is simple: prevent all traffic through our default interface (enp3s0 for example) and only allow tun0.
If the OpenVPN connection drops, your computer will lose its internet access and therefore, avoid your programs to continue connecting through an insecure network adapter.

Be sure to set up a script to restart OpenVPN if it goes down if you do not want to manually restart it.

Warning: DNS will not work unless you run your own DNS server like BIND

Otherwise, you will need to allow dns leak. Be sure to trust your DNS server!

# DNS
ufw allow in from any to any port 53
ufw allow out from any to any port 53

vpnfailsafe

Alternatively, the vpnfailsafe (vpnfailsafe-gitAUR) script can be used by the client to prevent DNS leaks and ensure that all traffic to the internet goes over the VPN. If the VPN tunnel goes down, internet access will be cut off, except for connections to the VPN server(s). The script contains the functionality of update-resolv-conf, so the two do not need to be combined.

L3 IPv4 routing

This section describes how to connect client/server LANs to each other using L3 IPv4 routing.

Prerequisites for routing a LAN

For a host to be able to forward IPv4 packets between the LAN and VPN, it must be able to forward the packets between its NIC and its tun/tap device. See Internet sharing#Enable packet forwarding for configuration details.

Routing tables

The factual accuracy of this article or section is disputed.

Reason: Investigate if a routing protocol like RIP, QUAGGA, BIRD, etc can be used (Discuss in Talk:OpenVPN#)

By default, all IP packets on a LAN addressed to a different subnet get sent to the default gateway. If the LAN/VPN gateway is also the default gateway, there is no problem and the packets get properly forwarded. If not, the gateway has no way of knowing where to send the packets. There are a couple of solutions to this problem.

Add a static route to the default gateway routing the VPN subnet to the LAN/VPN gateway's IP address.

Add a static route on each host on the LAN that needs to send IP packets back to the VPN.

Use iptables' NAT feature on the LAN/VPN gateway to masquerade the incoming VPN IP packets.

Connect the server LAN to a client

The server is on a LAN using the 10.66.0.0/24 subnet. To inform the client about the available subnet, add a push directive to the server configuration file:

/etc/openvpn/server/server.conf

push "route 10.66.0.0 255.255.255.0"

Note: To route more LANs from the server to the client, add more push directives to the server configuration file, but keep in mind that the server side LANs will need to know how to route to the client.

Connect the client LAN to a server

Prerequisites:

Any subnets used on the client side, must be unique and not in use on the server or by any other client. In this example we will use 192.168.4.0/24 for the clients LAN.

Each client's certificate has a unique Common Name, in this case bugs.

The server may not use the duplicate-cn directive in its config file.

Create a client configuration directory on the server. It will be searched for a file named the same as the client's common name, and the directives will be applied to the client when it connects.

# mkdir -p /etc/openvpn/ccd

Create a file in the client configuration directory called bugs, containing the iroute 192.168.4.0 255.255.255.0 directive. It tells the server what subnet should be routed to the client:

/etc/openvpn/ccd/bugs

iroute 192.168.4.0 255.255.255.0

Add the client-config-dir and the route 192.168.4.0 255.255.255.0 directive to the server configuration file. It tells the server what subnet should be routed from the tun device to the server LAN:

/etc/openvpn/server/server.conf

client-config-dir ccd
route 192.168.4.0 255.255.255.0

Note: To route more LANs from the client to the server, add more iroute and route directives to the appropriate configuration files, but keep in mind that the client side LANs will need to know how to route to the server.

Note: Remember to make sure that all the LANs or the needed hosts can route to all the destinations.

Connect clients and client LANs

By default clients will not see each other. To allow IP packets to flow between clients and/or client LANs, add a client-to-client directive to the server configuration file:

/etc/openvpn/server/server.conf

client-to-client

In order for another client or client LAN to see a specific client LAN, you will need to add a push directive for each client subnet to the server configuration file (this will make the server announce the available subnet(s) to other clients):

Note: You may need to adjust the firewall to allowing client traffic passing through the VPN server.

DNS

The DNS servers used by the system are defined in /etc/resolv.conf. Traditionally, this file is the responsibility of whichever program deals with connecting the system to the network (e.g. Wicd, NetworkManager, etc.). However, OpenVPN will need to modify this file if you want to be able to resolve names on the remote side. To achieve this in a sensible way, install openresolv, which makes it possible for more than one program to modify resolv.conf without stepping on each-other's toes.

Before continuing, test openresolv by restarting your network connection and ensuring that resolv.conf states that it was generated by resolvconf, and that your DNS resolution still works as before. You should not need to configure openresolv; it should be automatically detected and used by your network system.

For Linux, OpenVPN can send DNS host information, but expects an external process to act on it. This can be done with the client.up and client.down scripts packaged in /usr/share/openvpn/contrib/pull-resolv-conf/. See their comments on how to install them to /etc/openvpn/client/. The following is an excerpt of a resulting client configuration using the scripts in conjunction with resolvconf and options to #Run as unprivileged user:

Update resolv-conf script

The openvpn-update-resolv-conf script is available as an alternative to packaged scripts. It needs to be saved for example at /etc/openvpn/update-resolv-conf and made executable with chmod.

Once the script is installed add lines like the following into your OpenVPN client configuration file:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Note: If manually placing the script on the filesystem, be sure to have openresolv installed.

Now, when you launch your OpenVPN connection, you should find that your resolv.conf file is updated accordingly, and also returns to normal when you close the connection.

Note: When using openresolv with the -p or -x options in a script (as both the included client.up and update-resolv-conf scripts currently do), a DNS resolver like dnsmasq or unbound is required for openresolv to correctly update /etc/resolv.conf. In contrast, when using the default DNS resolution from libc the -p and -x options must be removed in order for /etc/resolv.conf to be correctly updated by openresolv.
For example, if the script contains a command like resolvconf -p -a and the default DNS resolver from libc is being used, change the command in the script to be resolvconf -a .

Update systemd-resolved script

Since systemd 229, systemd-networkd has exposed an API through DBus allowing management of DNS configuration on a per-link basis. Tools such as openresolv may not work reliably when /etc/resolv.conf is managed by systemd-resolved, and will not work at all if you are using resolve instead of dns in your /etc/nsswitch.conf file. The update-systemd-resolved script is another alternative and links OpenVPN with systemd-resolved via DBus to update the DNS records.

Override DNS servers using NetworkManager

By default networkmanager-openvpn plugin appends DNS servers provided by OpenVPN to /etc/resolv.conf. This may result in DNS instability (leakage).

The settings user interface does not provide any way to change this behavior, but it is possible to completely override DNS using connection configuration file.

To use DNS settings provided by the VPN connection add dns-priority=-1 (ipv4 section) to the file located at /etc/NetworkManager/system-connections/your_vpn_name, where your_vpn_name is the name of your VPN connection.

L2 Ethernet bridging

This article or section needs expansion.

Reason: Please add a well thought out section on L2 bridging. (Discuss in Talk:OpenVPN#)

Config generators

Warning: Users are highly recommended to pass through the manual configuration described above to gain knowledge about options and usage before using any additional automation scripts.

ovpngen

The ovpngenAUR package provides a simple shell script that creates OpenVPN compatible tunnel profiles in the unified file format suitable for the iOS version of OpenVPN Connect as well as for the Android app.

The resulting iphone.ovpn can be edited if desired as the script does insert some commented lines.

The client expects this file to be located in /etc/openvpn/client/iphone.conf. Note the change in file extension from 'ovpn' to 'conf' in this case.

Tip: If the server.conf contains a specified cipher and/or auth line, it is highly recommended that users manually edit the generated .ovpn file adding matching lines for cipher and auth. Failure to do so may results in connection errors!

Connection drops out after some time of inactivity

If the VPN-Connection drops some seconds after it stopped transmitting data and, even though it states it is connected, no data can be transmitted through the tunnel, try adding a keepalivedirective to the server's configuration:

/etc/openvpn/server/server.conf

.
.
keepalive 10 120
.
.

In this case the server will send ping-like messages to all of its clients every 10 seconds, thus keeping the tunnel up.
If the server does not receive a response within 120 seconds from a specific client, it will assume this client is down.

A small ping-interval can increase the stability of the tunnel, but will also cause slightly higher traffic. Depending on your connection, also try lower intervals than 10 seconds.

PID files not present

The default systemd service file for openvpn-client does not have the --writepid flag enabled, despite creating /var/run/openvpn-client. If this breaks a config (such as an i3bar VPN indicator), simply change openvpn-client@.service using a drop-in snippet:

Route configuration fails with systemd-networkd

When using systemd-networkd to manage network connections and attempting to tunnel all outgoing traffic through the VPN, OpenVPN may fail to add routes. This is a result of systemd-networkd attempting to manage the tun interface before OpenVPN finishes configuring the routes. When this happens, the following message will appear in the OpenVPN log.

With systemd-233 (currently in testing), systemd-networkd can be configured to ignore the tun connections and allow OpenVPN to manage them. To do this, create the following file:

/etc/systemd/network/90-tun-ignore.network

[Match]
Name=tun*
[Link]
Unmanaged=true

Restartsystemd-networkd.service to apply the changes. To verify that the changes took effect, start the previously problematic OpenVPN connection and run networkctl. The output should have a line similar to the following: